PERSONAL DATA PROCESSING TERMS

  1. DEFINITIONS. Terms defined elsewhere in Company’s and Client’s Agreement shall have the same respective meanings as are given them elsewhere in such Agreement. In addition, for the purposes of this Schedule, the following terms shall have the respective meanings ascribed to them as follows:
    1. Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a person;
    2. EEA” means the European Economic Area;
    3. EU” means the European Union;
    4. Privacy Shield” means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 dated July 12, 2016;
    5. Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July 12, 2016, details of which can be found at www.privacyshield.gov/eu-us-framework;
    6. Client Personal Data” means all Personal Data provided by Client to Company under the Agreement. Such Personal Data relates to User(s) (i.e. they are the Data Subjects) and may comprise any or all of the following: IP address; city/country/ZIP code; longitude/latitude; Company’s unique ID for the Data Subject who will (or is intended to) see the Advertising served under the Agreement;
    7. Purpose” means the purpose of performing the Services under the Agreement, including: (i) as necessary, making Client Personal Data available to DSPs and Advertisers in order that they can negotiate for the purchase of Advertising Inventory; and (ii) monitoring, improving and optimizing such Services (and therefore, incidentally, Company’s service offerings);
    8. Standard Contractual Clauses” means the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU, or such standard contractual clauses or other contractual terms as may from time to time be approved by the European Commission instead of those clauses;
    9. Subprocessor” means any third party (excluding employees of Company but including any Affiliate of Company) engaged by Company to carry out on its behalf any Processing of any Client Personal Data under the Agreement; and
    10. User” means a user of or visitor to any of the Sites.
  2. SUBJECT MATTER, NATURE, PURPOSE AND DURATION. These Personal Data Processing Terms (in this Schedule, “these Terms”) apply in respect of all Processing of Client Personal Data under or in connection with the Agreement, whether by or on behalf of Client or Company. Such Processing: (a) may or may not be automated; (b) is for the Purpose; and (c) will continue during the Term of the Agreement and thereafter until all Client Personal Data Processed by Company or Client under or in connection with the Agreement has been deleted or returned to the Controller or is no longer Processed under or in connection with the Agreement (as the case may be). These Terms will remain in effect for so long as any such Processing continues, notwithstanding any termination of the Agreement.
  3. RELATIONSHIP BETWEEN THE PARTIES. Client is the Controller in respect of the Client Personal Data. Company is a Processor which Processes the Client Personal Data on behalf of the Client.
  4. COMPANY PROCESSING OF THE CLIENT PERSONAL DATA.
    1. Processing by Company. Company shall:
      1. Process the Client Personal Data only on documented instructions from Client, unless Company is required to Process such data by EU or Member State law to which it is subject (in which case, Company shall inform Client of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest). By agreeing to these Terms, Client hereby instructs Company to Process the Client Personal Data provided to Company under or in connection with the Agreement, for the Purpose and in accordance with these Terms. Company shall not Process the Client Personal Data except for the Purpose;
      2. ensure that persons authorized to Process the Client Personal Data by or on behalf of Company have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      3. taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and comply with the other requirements of Article 32 of the GDPR;
      4. taking into account the nature of the processing, assist Client by appropriate technical and organizational measures, in so far as this is possible, for the fulfilment of Client’s obligations as Controller to respond to requests for exercising applicable Data Subjects’ rights with respect to their Client Personal Data laid down in Chapter III of the GDPR (Rights of the Data Subject);
      5. taking into account the nature of the processing and the information available to Company, assist Client, upon Client’s reasonable request from time to time, in ensuring compliance with Client’s obligations under Articles 32 to 36 of the GDPR;
      6. notify Client promptly if Company becomes aware of a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data (a “Security Incident”), provided that the provision of such notice by Company shall not be construed as an acknowledgement of fault or liability with respect to any such Security Incident;
      7. at the choice of Client, delete or return all Client Personal Data to Client within thirty (30) days after the end of the provision of the Services to Client, and delete existing copies, unless EU or Member State law requires storage of such Personal Data;
      8. make available to Client, upon Client’s reasonable request, information necessary to demonstrate compliance by Company with the obligations on it in these Terms, and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client. Such audits (whether or not including inspections) shall: (i) be conducted no more often than once in any period of twelve (12) months; and (ii) shall relate only to records, systems and other matter directly relevant to the Processing of Client Personal Data by Company under or in connection with the Agreement.
    2. Company Subprocessors. Client hereby grants Company general authorization to engage Subprocessors to assist Company in Processing Client Personal Data in accordance with these Terms. Company shall enter into contractual arrangements with such Subprocessors requiring the same level of data protection compliance and information security as that provided for in these Terms. Where any such Subprocessor fails to fulfil its obligations in respect of any Client Personal Data, Company shall remain fully liable to Client for the performance of such obligations. Company shall inform Client of any intended changes concerning the addition or replacement of any such Subprocessors, thereby giving Client the opportunity to object to such changes.
  5. CLIENT OBLIGATIONS.
    1. Client Obligations as Controller. Client shall:
      1. comply with its obligations as the Controller, under the European Data Protection Laws, in respect of all Processing of Client Personal Data under or in connection with the Agreement;
      2. ensure that all instructions issued by it to Company in respect of any Processing of Client Personal Data are lawful;
      3. provide or ensure that there are provided to all Users to whom any Client Personal Data relates all notices and information concerning the Processing of their Client Personal Data under or in connection with the Agreement, as are required by European Data Protection Laws;
      4. ensure that the Processing of Client Personal Data by Client and by Company under or in connection with the Agreement shall have a lawful basis of Processing pursuant to Article 6 of the GDPR. In each case where consent is the lawful basis for such Processing (including for any use of cookies, other local storage, or other means of collection of information from Users’ devices), Client shall obtain, or shall ensure that there shall have been obtained, the consent, in accordance with European Data Protection Law, of each User for such Processing of their Client Personal Data.
    2. Provision of Information. If at any time so requested by Company, Client shall promptly provide to Company such information as Company may reasonably require in order to demonstrate Client’s compliance with its obligations under these Terms. However, to avoid doubt, Company is not obliged to check such compliance or to advise Client in relation thereto, and such compliance is exclusively Client’s responsibility.
  6. PROCESSING OUTSIDE THE EEA.
    1. Safeguards by Company. Where Client Personal Data the Processing of which the GDPR applies is to be Processed by or on behalf of Company outside the EEA, or is to be Processed outside the EEA by any person who obtains such Client Personal Data from Company, Company shall ensure that a similar degree of protection is afforded to it as is afforded to it within the EU. Company may do this by ensuring at least one of the following safeguards is implemented:
      1. Such Processing takes place within a country that has been deemed to provide an adequate level of protection for Personal Data by the European Commission.
      2. Such Processing is done within the United States of America by a person who is a participant in the Privacy Shield and is therefore committed to comply with the Privacy Shield Principles.
      3. Such Processing is done by a person under the terms of a form of contract approved by the European Commission which gives Personal Data the same protection it has in the EU.
      4. Other measures are taken so that a similar degree of protection is afforded to such Client Personal Data, as within the EU, and such Processing is lawful.
    2. Standard Contractual Clauses. Any transfer to Company by Client of Client Personal Data under or in connection with the Agreement shall be deemed to be subject to the terms of the Standard Contractual Clauses, which are hereby incorporated by reference and deemed to be made a part of these Terms in their entirety. If and to the extent that the specific details to be completed within the Standard Contractual Clauses can be imputed from the details appearing in these Terms or elsewhere in the Agreement, they shall be so imputed. If and to the extent that the specific details to be completed within the Standard Contractual Clauses cannot be so imputed, or either Party requires them to be expressly completed, the other Party shall cooperate in completing such details to the requesting Party’s reasonable satisfaction.
  7. CONFLICTS OF TERMS. If and to the extent that the Standard Contractual Clauses (with specific details completed, as above) are inconsistent with any of these Terms, or with any other terms of the Agreement, the Standard Contractual Clauses will prevail. If and to the extent that these Terms are inconsistent with any other terms of the Agreement, these Terms will prevail.